Field of the Invention
The present invention relates to an information processing apparatus, a method of controlling the same, and a storage medium.
Description of the Related Art
In recent years, due to an increase in the number of functions of information processing apparatuses (hereinafter referred to as devices) such as PCs (Personal Computers), multifunction peripherals, or the like, devices in offices are provided with many settings. As a consequence, device setting has become complicated, and there is the possibility that a device will be operated with a setting that poses a security risk in the operation environment of the device. For this reason, it is advantageous that the settings of a device in an office be operated in accordance with a security policy (hereinafter referred to as a policy) that a security manager, who manages security in the office, has established. In a large-scale office environment, in many cases, the security manager is a different person from the administrator of the devices of the office. In other words, the administrator of the devices manages devices for which setting is performed in accordance with a policy established by the security manager. Accordingly, a general user uses a device which is managed by the administrator, and for which setting in accordance with the policy established by the security manager is performed.
An example of such a policy is a policy for prohibiting the usage of USB (Universal Serial Bus) with the objective of preventing information leakage from a USB memory (hereinafter referred to as a USB usage prohibition policy). Another example of such a policy is a policy of forcing the usage of a TPM (Trusted Platform Module), for example, with the objective of safely managing confidential data within devices (hereinafter referred to as a forced TPM usage policy). A TPM is a security chip that has tamper resistance and is capable of safely managing an encryption key. In general, devices equipped with a TPM realize encryption of confidential data and safe management of confidential data by safely managing a key used for the encryption within the TPM.
Furthermore, there is demand for optimization of work that is applied to complicated settings for multiple devices, and an approach for performing multiple settings for multiple devices via a network has been proposed in Japanese Patent Laid-Open No. 2005-99949, for example. With this, it becomes possible for a security manager, or the like, to operate devices in an office with settings in accordance with a unified policy by performing multiple settings via the network on the devices in the office.
There are cases where a specialist worker, dispatched from a support center of a device dealer, determines a condition of a device in an office for maintenance, or upon an occurrence of a malfunction. In such cases, information for analyzing the condition of the device (hereinafter referred to as a log) may be stored in a USB memory. Here, in a case where the USB usage prohibition setting is performed for the device, the log cannot be obtained via a USB I/F unless the USB usage prohibition setting is released by the security manager. In other words, there is a problem in that with device operation under the USB usage prohibition setting, while security is improved, convenience is reduced due to the fact that required information cannot be obtained via USB when necessary.
In addition, in a case where a TPM is used, a backup of an encryption key managed in the TPM (hereinafter referred to as a TPM key) is necessary in preparation for a case in which a malfunction or a loss of the TPM occurs. Such a backup of the TPM key is performed by obtaining the TPM key by USB in many cases. However, in such cases, the backup of the TPM key cannot be taken if the USB usage prohibition setting and the TPM usage setting are set for the device by the security manager. In other words, the USB usage prohibition setting and the TPM usage setting conflict with each other and cannot both be set. In such a case, it is necessary for the security manager to first release the USB usage prohibition setting on all of the devices set in accordance with the policy, and then, after the backup of the TPM key has been completed on all of the devices, to once again perform the USB usage prohibition setting, and this is inconvenient.